All the vulnerabilites related to OpenStack - openstack-tripleo-heat-templates
cve-2017-12155
Vulnerability from cvelistv5
Published
2017-12-12 20:00
Modified
2024-09-16 17:22
Severity ?
Summary
A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.
References
https://access.redhat.com/errata/RHSA-2018:1593vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1627vendor-advisory, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=1489360x_refsource_CONFIRM
https://bugs.launchpad.net/tripleo/+bug/1720787x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:0602vendor-advisory, x_refsource_REDHAT
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:28:16.604Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2018:1593",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1593"
          },
          {
            "name": "RHSA-2018:1627",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1627"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
          },
          {
            "name": "RHSA-2018:0602",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0602"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openstack-tripleo-heat-templates",
          "vendor": "OpenStack",
          "versions": [
            {
              "status": "affected",
              "version": "Newton, Ocata, Pike and possibly older"
            }
          ]
        }
      ],
      "datePublic": "2017-09-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-19T09:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2018:1593",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1593"
        },
        {
          "name": "RHSA-2018:1627",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1627"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
        },
        {
          "name": "RHSA-2018:0602",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0602"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "DATE_PUBLIC": "2017-09-20T00:00:00",
          "ID": "CVE-2017-12155",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "openstack-tripleo-heat-templates",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Newton, Ocata, Pike and possibly older"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OpenStack"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Incorrect Permission Assignment for Critical Resource"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2018:1593",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1593"
            },
            {
              "name": "RHSA-2018:1627",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1627"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
            },
            {
              "name": "https://bugs.launchpad.net/tripleo/+bug/1720787",
              "refsource": "CONFIRM",
              "url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
            },
            {
              "name": "RHSA-2018:0602",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0602"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2017-12155",
    "datePublished": "2017-12-12T20:00:00Z",
    "dateReserved": "2017-08-01T00:00:00",
    "dateUpdated": "2024-09-16T17:22:48.181Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}